Wireless Access

  • 1.  Dynamic Role assignment with Split tunnel on RAPs

    Posted Apr 26, 2021 05:15 AM
    Good day,

    We are working on a setup where we will be installing RAPs at our small branch offices.

    We want users at the branch offices to have access to head office resources in the same way as local users, connecting to the same SSID and receiving the same access rights. I have been able to set this up with normal tunnel mode. I created a WLAN for our head office that dynamically assigns roles (that assign different VLANs) based on the filter-ID attribute returned from NPS. This is working well, and if I broadcast this WLAN on the branch AP group it works fine too.

    However, being in Zimbabwe, bandwidth is very expensive and we don't want to waste it sending non-essential traffic back to HQ. What is the best way to go about getting this set up? I looked through a lab guide on split tunnel where they created a separate Virtual AP in split tunnel mode, then assigned the same SSID and AAA profile to this.

    I did this setup, then did a bit of testing, but wasn't able to get the dynamic VLAN assignment to work through the roles. The user would connect and was assigned their role fine, but the VLAN they were assigned was the one from the Virtual AP profile, not the one defined in the role. I should also mention that the roles only have an any any any permit rule and the VLAN that we want assigned to that user group; all further restriction is done at our firewall. After getting the VLAN assignment working, I assume I will need to create duplicates of these roles that have rules to determine what traffic will be bridged off at the AP, then assign these roles in place of the others for the branches. Is that correct?

    I'm still pretty new to controller setup, so I'm pretty sure I am doing something stupid somewhere. Any advice would be really appreciated.

    Kind regards
    Ciaran

    ------------------------------
    Ciaran Coghlan
    ------------------------------


  • 2.  RE: Dynamic Role assignment with Split tunnel on RAPs

    Posted Apr 26, 2021 05:40 AM
    Unless something has changed, VLAN derivation (defining a VLAN based on a RADIUS attribute) is not supported with split tunneling, unfortunately. https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=e8f18e23-cf50-4789-822f-a5c87d861926

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Dynamic Role assignment with Split tunnel on RAPs

    Posted Apr 26, 2021 06:12 AM
    Ahh, that's a shame. Thank you for the information though.

    ------------------------------
    Ciaran Coghlan
    ------------------------------